Best practices for LDAP scalability with Symantec Brightmail Gateway
Article: HOWTO25859 | Created: 2010-01-24 | Updated: 2013-02-27 | Article URL: http://www.symantec.com/docs/HOWTO25859
If using the directory data service in a large or distributed environment, consider the following best practices to improve system performance and scalability:
Set the cache size based on the system's needs and memory availability. Symantec recommends that this value be set equal to or greater than the number of users and groups in the environment. This number should include distribution lists, contacts, public folders, and any other LDAP entry that lists a deliverable email address or a username.
The Monitor swap space utilization alert triggers when swapping exceeds the specified utilization. Use the swap alert to make sure that the systems have adequate RAM for all Symantec Brightmail Gateway processes, including the directory data service cache.
The default value that triggers this alert is 50% and can be modified as needed. For high-performance deployments that are adequately provisioned with memory, there should be little or no swap space utilization. Symantec recommends setting the swap space alert threshold to only a few percent for such deployments.
See Types of alerts.
For most deployments, caches can be built gradually through normal system activity with adequate system performance and preloading the cache is not necessary. For some deployments with very large directories or slow LDAP connections, however, the preloader can be used to avoid temporary performance problems that may occur while a very large cache is built.
An adequate cache refresh spread smooths out the load on the LDAP servers by randomizing the expiration of cache entries. Refreshes that occur too frequently can increase processing time, but failing to refresh often enough results in stale data. Work with the directory administrator to determine the right refresh rate for the system.
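To see why spread matters, the following added simulation (not Symantec's code; the entry count, refresh interval and spread values are constructed) models a preloaded cache: with no spread every entry expires at the same instant and the directory receives one burst of refresh queries, while a spread distributes the same refreshes over time.

```python
"""Simulate how cache refresh spread smooths LDAP load (constructed example)."""
import random
from collections import Counter


def expiry_times(num_entries, load_time, refresh_interval, spread, seed=1):
    """Return the expiry time (seconds) of each cache entry loaded at load_time.

    refresh_interval: nominal number of seconds an entry stays valid.
    spread: maximum seconds an expiry is randomly moved earlier or later;
            0 means every entry expires at exactly the same instant.
    This is an assumed model of a refresh spread, not the product's own logic.
    """
    rng = random.Random(seed)  # seeded so the simulation is repeatable
    return [
        load_time + refresh_interval + rng.uniform(-spread, spread)
        for _ in range(num_entries)
    ]


def peak_refreshes_per_second(expiries):
    """Largest number of cache refreshes (LDAP queries) falling in one second."""
    per_second = Counter(int(t) for t in expiries)
    return max(per_second.values())


def compare_spread(num_entries=10_000, refresh_interval=3600, spread=1800):
    """Worst-second LDAP refresh count for a preloaded cache without and with spread."""
    burst = peak_refreshes_per_second(
        expiry_times(num_entries, 0, refresh_interval, 0))
    smoothed = peak_refreshes_per_second(
        expiry_times(num_entries, 0, refresh_interval, spread))
    return burst, smoothed


if __name__ == "__main__":
    burst, smoothed = compare_spread()
    print(f"no spread:     {burst} refreshes in the worst second")
    print(f"spread 1800 s: {smoothed} refreshes in the worst second")
```

The no-spread case sends all 10,000 refreshes to the directory in a single second, which is the load peak the spread setting is meant to avoid.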
Disabling Distribution list expansion can significantly increase mail delivery throughput. If Distribution list expansion is disabled, however, distribution lists are not resolved into their individual members for policy evaluation.
This means that mail sent to a distribution list is subject only to the policies associated with the distribution list itself (either through an email address or a distinguished name). The policies associated with its individual members are not applied, even if they have higher precedence.
If a data source cache is cleared or a configuration change is made to the policy groups or a directory data source, the Symantec Brightmail Gateway must reload group information from the directory. This can result in the growth of inbound or outbound message queues.
For most deployments this process takes only a few seconds and results in an insignificant queue backup, if any at all. However, in cases where LDAP access is slow, or the policy groups reference many thousands of LDAP users, a noticeable backup can occur. For best performance, Symantec recommends using the default group to implement the most common behavior and then assigning specific policies to smaller groups as necessary.
The larger the scope of the query, the longer the searches take. Poor query performance for quarantine address resolution can lead to a backup in delivery queues. Poor query performance for address resolution can cause inbound or outbound queues to back up.
If the data source uses the Active Directory Global Catalog, be sure to configure the directory data service to use the global catalog port (default 3268) instead of the domain controller port (default 389).
See Adding a data source.
In an environment where Scanner hosts are located outside the firewall and LDAP servers reside inside the firewall, it is possible to speed up connection and query times by setting up replicas of those LDAP servers outside the firewall and near the Scanners in the network.
The figure Mail configuration example for a firewalled server shows a firewalled server configuration and how an LDAP server replica might be used to improve processing time.